Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

gh-97616: list_resize() checks for integer overflow (#97617) 

Fix multiplying a list by an integer (list *= int): detect the
integer overflow when the new allocated length is close to the
maximum size.  Issue reported by Jordan Limor.

list_resize() now checks for integer overflow before multiplying the
new allocated length by the list item size (sizeof(PyObject*)).
This commit is contained in:
Victor Stinner 2022-09-29 00:07:07 +02:00 committed by GitHub
parent 81b9d9ddc2
commit a5f092f3c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Lib/test/test_list.py
View File

@ -96,6 +96,19 @@ class ListTest(list_tests.CommonTest):
self.assertRaises((MemoryError, OverflowError), mul, lst, n)
self.assertRaises((MemoryError, OverflowError), imul, lst, n)
def test_list_resize_overflow(self):
# gh-97616: test new_allocated * sizeof(PyObject*) overflow
# check in list_resize()
lst = [0] * 65
del lst[1:]
self.assertEqual(len(lst), 1)
size = ((2 ** (tuple.__itemsize__ * 8) - 1) // 2)
with self.assertRaises((MemoryError, OverflowError)):
lst * size
with self.assertRaises((MemoryError, OverflowError)):
lst *= size
def test_repr_large(self):
# Check the repr of large list objects
def check(n):

3
Misc/NEWS.d/next/Security/2022-09-28-17-09-37.gh-issue-97616.K1e3Xs.rst Normal file
View File

@ -0,0 +1,3 @@
Fix multiplying a list by an integer (``list *= int``): detect the integer
overflow when the new allocated length is close to the maximum size. Issue
reported by Jordan Limor. Patch by Victor Stinner.

10
Objects/listobject.c
View File

@ -76,8 +76,14 @@ list_resize(PyListObject *self, Py_ssize_t newsize)
if (newsize == 0)
new_allocated = 0;
num_allocated_bytes = new_allocated * sizeof(PyObject *);
items = (PyObject **)PyMem_Realloc(self->ob_item, num_allocated_bytes);
if (new_allocated <= (size_t)PY_SSIZE_T_MAX / sizeof(PyObject *)) {
num_allocated_bytes = new_allocated * sizeof(PyObject *);
items = (PyObject **)PyMem_Realloc(self->ob_item, num_allocated_bytes);
}
else {
// integer overflow
items = NULL;
}
if (items == NULL) {
PyErr_NoMemory();
return -1;